fix(webkitgtk): mark custom URI schemes as CORS-enabled

webkit2gtk 2.46 added a requirement that custom URI schemes registered
via `webkit_web_context_register_uri_scheme()` must ALSO be in the
CORS allow-list (`webkit_security_manager_register_uri_scheme_as_cors_enabled()`)
for the host's handler to be invoked on top-level navigations.

Previously wry only called `register_uri_scheme_as_secure()`. On
webkit2gtk ≤ 2.44 (Ubuntu 22.04 / 24.04) this was sufficient. On
webkit2gtk 2.46+ (Ubuntu 26.04, Fedora 40+, Arch rolling) webkit
silently bypasses the handler and falls through to the default
network loader.

Symptom for Tauri apps: the bundled UI loaded via `tauri://localhost/`
fails to render and the webview shows "Could not connect to localhost:
Connection refused" because the request lands at `http://localhost:80/`
where nothing's listening.

The CORS-enable call is a no-op on older webkit2gtk so the patch is
safe across versions.

Verified end-to-end on Ubuntu 26.04 LTS aarch64 with webkit2gtk
2.52.0: before, custom-scheme load shows the connection-error page;
after, the embedded UI loads correctly.

Author: bssingh

.changes/webkit-cors-enable-scheme.md

@@ -0,0 +1,16 @@
+---
+"wry": patch
+---
+
+On Linux, mark custom URI schemes as CORS-enabled (in addition to
+secure) when registering them with webkit2gtk. webkit2gtk 2.46+ added a
+requirement that the scheme be in the CORS allow-list for the host's
+custom-scheme handler to be invoked for top-level navigations; without
+it webkit silently bypasses the handler and routes the request through
+the default network loader. Symptom for Tauri apps on Ubuntu 26.04 /
+Fedora 40+ / Arch rolling: the bundled UI fails to load and webview
+shows "Could not connect to localhost: Connection refused" because
+`tauri://localhost/` gets interpreted as `http://localhost:80/`.
+
+The new call is a no-op on webkit2gtk ≤ 2.44 so the patch is safe on
+Ubuntu 22.04 / 24.04.

src/webkitgtk/web_context.rs

@@ -133,13 +133,23 @@ impl WebContextExt for super::WebContext {
   {
     self.register_custom_protocol(name.to_owned())?;
 
-    // Enable secure context
-    self
+    // Enable secure context + CORS for the scheme. webkit2gtk 2.46+
+    // requires the scheme to be CORS-enabled or webkit silently bypasses
+    // the registered handler and routes the request through the default
+    // network loader. Symptom for callers using a custom scheme like
+    // `tauri://localhost/`: the load lands as `http://localhost:80/` and
+    // shows "Could not connect to localhost: Connection refused" instead
+    // of the embedded asset.
+    //
+    // The CORS-enable call is a no-op on webkit2gtk ≤ 2.44 (Ubuntu 22.04
+    // / 24.04) so it's safe to add unconditionally.
+    let security_manager = self
       .os
       .context
       .security_manager()
-      .ok_or(Error::MissingManager)?
-      .register_uri_scheme_as_secure(name);
+      .ok_or(Error::MissingManager)?;
+    security_manager.register_uri_scheme_as_secure(name);
+    security_manager.register_uri_scheme_as_cors_enabled(name);
 
     self.os.context.register_uri_scheme(name, move |request| {
       #[cfg(feature = "tracing")]